Snarpy
02-04-2004, 12:14 PM
I've got a client who is choosing which SSL certificate to get, and this is my first experience with SSL also. He's already decided to purchase his own rather than a shared certificate.
He's deciding two things: which company and 40-bit or 128-bit. He was going to go with VeriSign until he discovered the 40-bit or 128-bit choice, and saw the price for the 128-bit.
It seems that the difference between Thawte and VeriSign is the warranty on VeriSign and the value of the name. Is there any other benefit to VeriSign that justifies the extra cost? (Especially since Thawte is owned by VeriSign...)
Are there any other companies that provide thorough underwriting? I looked into Equifax, which has been purchased by GeoTrust, and they have 10-minute processing. That doesn't seem too thorough.
About the difference between 40-bit and 128-bit - I'm confused, but I think I'm starting to understand. Here's some relevant information:
40-bit can be hacked in a brute force attack using a small network of desktop computers in 13 days. (Web Security, Privacy & Commerce by Simson Garfinkel, O'Reilly 2002).
From the VeriSign website: Secure Site Pro and Commerce Site Pro Services include 128-bit Global Server IDs, which enable 128-bit SSL encryption - the world's strongest - with both domestic and export versions of Microsoft® and Netscape® browsers. (Most people in the U.S. use export-version browsers). Secure Site and Commerce Site Services include 40-bit SSL Certificates, which enable 40-bit SSL when communicating with export-version Netscape and Microsoft Internet Explorer browsers, and 128-bit SSL encryption when communicating with domestic-version Microsoft and Netscape browsers.
I'm also aware that old browsers may not be compatible with 128-bit encryption and that the customer would need to update their browser. I know people who have had to do this.
So what I think I understand is that with a 40-bit certificate, the certificate negotiates with the browser and establishes the highest encryption the browser supports. A 128-bit certificate "forces" the browser to encrypt at 128 bits. (How, I don't know.) My friends who were asked to update their browser were probably sniffed and asked to upgrade since the site didn't want to have a 128-bit certificate. Am I right?
Last question. Right now the client is going to use PayPal and just wants to protect client info & order history but not credit cards. As soon as he can, he wants to get a merchant account and do the credit cards himself. I noticed that at VeriSign you can't upgrade a 40-bit certificate to 128-bit, but would have to buy new. What would you recommend?
Snarpy
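Added example, not part of the thread: a toy Python model of the cipher negotiation the post is asking about. In SSL/TLS the browser offers a list of cipher suites and the server picks one it is configured to accept; if they share none, the handshake fails, which is the point at which a site tells users to upgrade. The cipher table, browser profiles and server preference lists are constructed, and the step-up branch is a simplification of the SGC/step-up behaviour behind the "Global Server ID" products mentioned above.

```python
# Toy model of how the symmetric key strength of an SSL session is decided.
# Cipher-suite names follow OpenSSL's old naming; the table, browser
# profiles and server configurations are constructed for illustration.

# Constructed table: cipher suite -> effective symmetric key strength in bits.
SUITES = {
    "DES-CBC3-SHA": 168,    # 3DES, a "strong" (non-export) suite
    "RC4-MD5": 128,
    "EXP-RC4-MD5": 40,      # export-grade: 40-bit effective key
    "EXP-DES-CBC-SHA": 40,
}
STRONG = [s for s, bits in SUITES.items() if bits >= 128]

# Constructed browser profiles: what each one offers in its ClientHello and
# whether it implements the step-up (SGC) renegotiation.
DOMESTIC_BROWSER = {"offers": list(SUITES), "step_up": False}
EXPORT_BROWSER = {"offers": [s for s in SUITES if s.startswith("EXP-")], "step_up": True}

# Constructed server configurations, in the server's preference order.
PERMISSIVE_SERVER = ["DES-CBC3-SHA", "RC4-MD5", "EXP-RC4-MD5", "EXP-DES-CBC-SHA"]
STRONG_ONLY_SERVER = ["DES-CBC3-SHA", "RC4-MD5"]


def pick_suite(server_prefs, offered):
    """Server takes the first suite in ITS preference order that the client offered.
    None means no overlap: the handshake fails and the user gets an error page."""
    for suite in server_prefs:
        if suite in offered:
            return suite
    return None


def handshake(server_prefs, cert_has_step_up, client):
    """Return the key strength (bits) the session ends up using, or None on failure."""
    suite = pick_suite(server_prefs, client["offers"])
    if suite is None:
        return None
    bits = SUITES[suite]
    # Simplified step-up: an export browser that landed on a 40-bit suite
    # inspects the server certificate; if it carries the step-up mark, the
    # browser renegotiates offering the strong suites as well.
    if bits < 128 and cert_has_step_up and client["step_up"]:
        strong = pick_suite(server_prefs, STRONG)
        if strong is not None:
            bits = SUITES[strong]
    return bits
```

The strength is decided by the server's cipher configuration and the client's offer, with the certificate only mattering for the step-up case; a server that refuses export suites simply cannot talk to an export-only browser at all.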